EIQ-2022-0001#

ID	EIQ-2022-0001
CVE	CVE-2021-23727
Description	Celery ≤ 5.2.1 is vulnerable to stored command injection
Date	6 January 2022
Severity	2 - MEDIUM
CVSSv3 score	6.6
Status	✅ 2.12.0
Assessment	Celery 5.2.1 and earlier is vulnerable to stored command injection. An attacker can store a malicious command as task metadata in the Celery backend. When an exception is triggered, celery deserializes and reads that particular task’s metadata, consequently executing the malicious command. To exploit this vulnerability, the attacker must have direct access to the Celery backend. The Intelligence Center uses Redis as its Celery backend, and partially mitigates this vulnerability with the following defaults: Secured with a generated password stored at `/etc/eclecticiq-redis/local.conf`. Bound to `127.0.0.1` for single-machine installations, allowing only local access. Full mitigation requires an upgrade to Celery 5.2.2 and later. Mitigated on Hosted Intelligence Center instances; Redis instances cannot be accessed externally. Affected versions of the Intelligence Center: IC 2.11.x: Celery 5.0.5 IC 2.10.x: Celery 5.0.5 IC 2.9.x: Celery 4.4.6
Mitigation	Upgrade to IC 2.12.0. See assessment for mitigation on 2.11.x and earlier.
Affected versions	2.11.x and earlier
Notes	N/A